Embarrassing Oversight Leads to Exploit Hub's Compromise

Exploit Hub, an exploit marketplace originally launched by NSS Labs in 2010 but spun off by the testing firm in March of this year, said on Tuesday that it had been compromised by a quasi-rival group going by the name Inj3ct0r Team. As it turned out, the information stolen by the attackers wasn’t of any real value, as it was already publicly available.

Exploit Hub is a marketplace where researchers buy and sell publicly known exploits (no 0-days allowed), of which Exploit Hub takes a 30-percent cut. In a way, Exploit Hub has plenty of positive points, such as paying researchers for their work, but it faces the familiar setbacks, including low pay scales. Yet, by design, it is the total opposite of exploit houses like Vupen.

According to a public notice on Facebook, Exploit Hub was breached on Tuesday by a group going by the name Inj3ct0r Team. Oddly enough, Inj3ct0r Team also sells exploits, most of them publicly known or scraped from other sources. It would seem that they planned to add Exploit Hub’s collection to their own, but they failed.

“Today (December 11th), the Inj3ct0r Team has hacked [Exploit Hub]... and stole private exploits worth $242,333,” an announcement from the group boasted.

“We hacked [Exploit Hub] because the people who publish private exploits on [there] need to know that the ExploitHub Admins are lamers and can not provide them with adequate security.”

As it turns out, the cause for the breach was a lapse in security policy.

“After our initial investigation we have determined that the web application server itself was compromised and access to the database on that server was available to the attacker. The server was compromised through an accessible install script that was left on the system rather than being removed after installation, which was an embarrassing oversight on our part,” Exploit Hub explained.
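The root cause Exploit Hub describes, an installer script left reachable on the web server after deployment, is exactly the kind of leftover a routine post-deploy check catches. The shell script below is an added example and is not code from the article or from Exploit Hub; the installer file names it searches for are common naming conventions assumed for illustration, and the throwaway web root it builds for the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the article or Exploit Hub): audit a web root for
# installer/setup scripts that should have been deleted once installation
# finished. The filename patterns are assumed conventions, not a complete list.

# Print every matching file under the given web root, one path per line.
find_leftover_installers() {
    webroot="$1"
    find "$webroot" -type f \( \
        -iname 'install.php' -o -iname 'install.sh' -o -iname 'setup.php' \
        -o -iname 'upgrade.php' -o -iname 'install*.php' \
        -o -path '*/install/*' -o -path '*/installer/*' \
    \) 2>/dev/null
}

# Report findings; exit status 1 means something was left behind.
audit_webroot() {
    hits=$(find_leftover_installers "$1")
    if [ -n "$hits" ]; then
        printf 'Leftover installer artifacts found under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'No installer artifacts found under %s\n' "$1"
    return 0
}

# Constructed fixture for demonstration: a fake web root where the deployer
# forgot both the top-level install.php and the install/ directory.
make_demo_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/install" "$root/assets"
    touch "$root/index.php" "$root/assets/app.js"
    touch "$root/install.php" "$root/install/index.php"
    printf '%s\n' "$root"
}

# Usage: sh audit_installers.sh /var/www/html  (or --demo for the fixture)
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_demo_webroot)
    audit_webroot "$demo_root"
    rm -rf "$demo_root"
elif [ -n "${1:-}" ]; then
    audit_webroot "$1"
fi
```

Run it against the real document root after every deployment, or wire it into a deployment pipeline so a non-zero exit blocks the release; the `--demo` flag exercises it against the constructed fixture. Extend the pattern list to whatever installer your framework ships, and remember the check is only a safety net: the installer should be removed or placed outside the web root as part of the install procedure itself.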

“The exploit information provided in Inj3ct0r's attack announcement text file and SQL dump consists of exploit names, prices, the dates they were submitted to the market, the Authors' IDs, and the Authors' usernames, all of which is publicly available information retrievable from the web application's normal browse and search functions; this is not private information and it was already publicly accessible by simply searching the product catalog through the website.”

The incident is still being investigated, but so far, Exploit Hub admins are reasonably sure that nothing critical was stolen or compromised. As of 0600 on Wednesday, the Exploit Hub domain remains offline.

Correction: This article originally incorrectly stated that Exploit Hub was part of NSS Labs; it has been corrected to reflect that Exploit Hub was spun off from NSS Labs in March of 2012 and has been independent since.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.